{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32627", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.558Z", "datePublished": "2026-03-13T20:48:14.442Z", "dateUpdated": "2026-03-16T15:41:05.578Z"}, "containers": {"cna": {"title": "cpp-httplib has a Silent TLS Certificate Verification Bypass on HTTPS Redirect via Proxy", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g"}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"version": "< 0.37.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T20:48:14.442Z"}, "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target \u2014 expired, self-signed, or forged \u2014 without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2."}], "source": {"advisory": "GHSA-c3h8-fqq4-xm4g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32627", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T15:27:59.309320Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:41:05.578Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32627", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T15:27:59.309320Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:31:39.495Z"}}], "cna": {"title": "cpp-httplib has a Silent TLS Certificate Verification Bypass on HTTPS Redirect via Proxy", "source": {"advisory": "GHSA-c3h8-fqq4-xm4g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"status": "affected", "version": "< 0.37.2"}]}], "references": [{"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g", "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target \u2014 expired, self-signed, or forged \u2014 without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T20:48:14.442Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32627", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:41:05.578Z", "dateReserved": "2026-03-12T15:29:36.558Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T20:48:14.442Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*", "matchCriteriaId": "41B98CDE-3EAB-4DFB-9B9C-536C21640B8C", "versionEndExcluding": "0.37.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target \u2014 expired, self-signed, or forged \u2014 without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2."}], "id": "CVE-2026-32627", "lastModified": "2026-03-17T19:08:44.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-16T14:19:40.270", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.37.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cpp-httplib", "source": "cna", "vendor": "yhirose"}, "product": "cpp-httplib", "vendor": "yhirose"}], "analysis": {"en": {"generated_at": "2026-03-17T21:06:28.300447+00:00", "value": {"mitigation_remediation": ["Upgrade to cpp-httplib 0.37.2 or newer"], "summary": {"action": "Patch Now", "impact": "TLS Certificate Verification Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is the yhirose:cpp-httplib library for all releases before 0.37.2. Any application that uses this header\u2011only library, configures a proxy, and enables set_follow_location(true) is at risk. The vulnerability is fixed starting with version 0.37.2.", "description_and_impact": "The vulnerability exists in cpp-httplib versions prior to 0.37.2. When a client is configured to use a proxy and automatic redirect following is enabled, any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client accepts any certificate presented by the redirect target, including expired, self-signed, or forged certificates, without raising an error or notifying the application. This flaw, classified as CWE-295, allows an attacker controlling the network to intercept the subsequent HTTPS connection and capture or tamper with credentials or session tokens in transit.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates high severity. The EPSS score is lower than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a relatively low probability of current exploitation. The likely attack vector requires an attacker to control the network path to deliver a malicious redirect response; upon success, confidentiality and integrity of the redirected HTTPS traffic are compromised, allowing full interception or tampering."}}}}, "created": "2026-03-16T09:23:00.323082+00:00", "updated": "2026-03-23T13:39:33.758196+00:00", "vendors": ["yhirose", "yhirose$PRODUCT$cpp-httplib"]}